CVE-2022-39266
isolated-vm has vulnerable CachedDataOptions in API
Severity: 9.6 CRITICAL (CVSS 3.1)
EPSS: 0.27%
Description
### Impact
If untrusted V8 cached data is passed to the API through CachedDataOptions, an attacker can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept `cachedData` payloads from a user.
How to fix CVE-2022-39266
To remediate CVE-2022-39266, upgrade the affected package to a fixed version below.
- isolated-vm: upgrade to 4.3.7 or later
Is CVE-2022-39266 being exploited?
Low: EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- isolated-vm: all versions from 0 up to but not including 4.3.7 (< 4.3.7)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.6) | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |